Overview

overview

10

Static

static

emotet_pe_1min

windows10-1703-x64

10

Analysis

  • max time kernel
    47s
  • max time network
    110s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04-11-2022 13:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8aa32d30a56e4917a17a16089e7e8a3b41813dec6fb606b868ed644f86ae99e.dll

  • Size

    534KB

  • MD5

    b6aa1390eb1add1428e901c74a267497

  • SHA1

    00270c43f2ec7e0708b4701fd2592e41dc8c4097

  • SHA256

    f8aa32d30a56e4917a17a16089e7e8a3b41813dec6fb606b868ed644f86ae99e

  • SHA512

    d71a36fa2566ce35d5b774b1d4bbe17b649ca9c3f1c26162ade226472439f985423ccc38412809fb260f8d074f32364ba79698085ffec2070a464022fa78015b

  • SSDEEP

    6144:vTKqTS2X5Bc1p7PIvaf66pPfTISFikbOM5pxHAz3SJnzo+28tz3+TThF4Sr:vucOk6pPAkbnjWzazwk3+vh

Score
10/10
emotetepoch5bankerpersistencetrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080
ecs1.plain
eck1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f8aa32d30a56e4917a17a16089e7e8a3b41813dec6fb606b868ed644f86ae99e.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SRlMhPPcbUAxT\HkToQUEclRSzx.dll"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      PID:4856

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2848-120-0x00000000025E0000-0x0000000002610000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4856-125-0x0000000000000000-mapping.dmp

    Download